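{{/*
Render the two ConfigMaps this chart feeds to Authelia:

  authelia-paths       environment variables naming the file under /secrets
                       that holds each secret (paths only -- the files are
                       presumably mounted from a Secret elsewhere in the
                       chart; confirm against the Deployment template).
  authelia-configfile  the generated configuration.yaml.

Operator-supplied string values (URLs, LDAP filters, DNs, mail addresses,
OIDC client ids/secrets) are passed through `quote` so the YAML loader
cannot re-type or mis-parse them; numeric, boolean and enumerated fields
stay plain. Boolean fields carry an explicit `default false` so an unset
value renders as `false` rather than an empty (null) scalar.

NOTE(review): the LDAP bind DN, the Duo integration key and any OIDC
client secret end up in configuration.yaml, i.e. in a ConfigMap rather
than a Secret -- confirm that is acceptable for the deployment.
*/}}
{{- define "authelia.configmap" -}}
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: authelia-paths
data:
  AUTHELIA_SERVER_DISABLE_HEALTHCHECK: "true"
  AUTHELIA_JWT_SECRET_FILE: "/secrets/JWT_TOKEN"
  AUTHELIA_SESSION_SECRET_FILE: "/secrets/SESSION_ENCRYPTION_KEY"
  AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: "/secrets/ENCRYPTION_KEY"
  AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: "/secrets/STORAGE_PASSWORD"
  {{- if .Values.authentication_backend.ldap.enabled }}
  AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE: "/secrets/LDAP_PASSWORD"
  {{- end }}
  {{- if .Values.notifier.smtp.enabled }}
  AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE: "/secrets/SMTP_PASSWORD"
  {{- end }}
  AUTHELIA_SESSION_REDIS_PASSWORD_FILE: "/secrets/REDIS_PASSWORD"
  {{- if .Values.redisProvider.high_availability.enabled }}
  AUTHELIA_SESSION_REDIS_HIGH_AVAILABILITY_SENTINEL_PASSWORD_FILE: "/secrets/REDIS_SENTINEL_PASSWORD"
  {{- end }}
  {{- if .Values.duo_api.enabled }}
  AUTHELIA_DUO_API_SECRET_KEY_FILE: "/secrets/DUO_API_KEY"
  {{- end }}
  {{- if .Values.identity_providers.oidc.enabled }}
  AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE: "/secrets/OIDC_HMAC_SECRET"
  AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE: "/secrets/OIDC_PRIVATE_KEY"
  {{- end }}

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: authelia-configfile
data:
  configuration.yaml: |
    ---
    theme: {{ default "light" .Values.theme }}
    default_redirection_url: {{ default (printf "https://www.%s" .Values.domain) .Values.default_redirection_url | quote }}
    server:
      host: 0.0.0.0
      port: {{ default 9091 .Values.server.port }}
      {{- if not (eq "" (default "" .Values.server.path)) }}
      path: {{ .Values.server.path | quote }}
      {{- end }}
      read_buffer_size: {{ default 4096 .Values.server.read_buffer_size }}
      write_buffer_size: {{ default 4096 .Values.server.write_buffer_size }}
      {{- /* Debug endpoints; both stay off unless a value explicitly turns them on. */}}
      enable_pprof: {{ default false .Values.server.enable_pprof }}
      enable_expvars: {{ default false .Values.server.enable_expvars }}
    log:
      level: {{ default "info" .Values.log.level }}
      format: {{ default "text" .Values.log.format }}
      {{- if not (eq "" (default "" .Values.log.file_path)) }}
      file_path: {{ .Values.log.file_path | quote }}
      keep_stdout: true
      {{- end }}
    totp:
      issuer: {{ default .Values.domain .Values.totp.issuer | quote }}
      period: {{ default 30 .Values.totp.period }}
      skew: {{ default 1 .Values.totp.skew }}
    {{- if .Values.duo_api.enabled }}
    {{- /* Only the non-secret Duo identifiers are written here; the secret key is read
           from the file named by AUTHELIA_DUO_API_SECRET_KEY_FILE in authelia-paths. */}}
    duo_api:
      hostname: {{ .Values.duo_api.hostname | quote }}
      integration_key: {{ .Values.duo_api.integration_key | quote }}
    {{- end }}
    {{- with $auth := .Values.authentication_backend }}
    authentication_backend:
      disable_reset_password: {{ default false $auth.disable_reset_password }}
      {{- if $auth.file.enabled }}
      file:
        path: {{ $auth.file.path | quote }}
        password: {{ toYaml $auth.file.password | nindent 10 }}
      {{- end }}
      {{- if $auth.ldap.enabled }}
      ldap:
        implementation: {{ default "custom" $auth.ldap.implementation }}
        url: {{ $auth.ldap.url | quote }}
        timeout: {{ default "5s" $auth.ldap.timeout }}
        start_tls: {{ default false $auth.ldap.start_tls }}
        tls:
          {{- /* server_name is only emitted when the key exists; it then falls back to the LDAP host. */}}
          {{- if hasKey $auth.ldap.tls "server_name" }}
          server_name: {{ default $auth.ldap.host $auth.ldap.tls.server_name | quote }}
          {{- end }}
          minimum_version: {{ default "TLS1.2" $auth.ldap.tls.minimum_version }}
          skip_verify: {{ default false $auth.ldap.tls.skip_verify }}
        {{- /* The following LDAP fields are optional; each is written only when set,
               so Authelia's own defaults apply otherwise. Filters and DNs are quoted
               because they routinely contain characters YAML treats specially. */}}
        {{- if $auth.ldap.base_dn }}
        base_dn: {{ $auth.ldap.base_dn | quote }}
        {{- end }}
        {{- if $auth.ldap.username_attribute }}
        username_attribute: {{ $auth.ldap.username_attribute | quote }}
        {{- end }}
        {{- if $auth.ldap.additional_users_dn }}
        additional_users_dn: {{ $auth.ldap.additional_users_dn | quote }}
        {{- end }}
        {{- if $auth.ldap.users_filter }}
        users_filter: {{ $auth.ldap.users_filter | quote }}
        {{- end }}
        {{- if $auth.ldap.additional_groups_dn }}
        additional_groups_dn: {{ $auth.ldap.additional_groups_dn | quote }}
        {{- end }}
        {{- if $auth.ldap.groups_filter }}
        groups_filter: {{ $auth.ldap.groups_filter | quote }}
        {{- end }}
        {{- if $auth.ldap.group_name_attribute }}
        group_name_attribute: {{ $auth.ldap.group_name_attribute | quote }}
        {{- end }}
        {{- if $auth.ldap.mail_attribute }}
        mail_attribute: {{ $auth.ldap.mail_attribute | quote }}
        {{- end }}
        {{- if $auth.ldap.display_name_attribute }}
        display_name_attribute: {{ $auth.ldap.display_name_attribute | quote }}
        {{- end }}
        {{- /* Bind DN only; the bind password comes from the LDAP_PASSWORD secret file. */}}
        user: {{ $auth.ldap.user | quote }}
      {{- end }}
    {{- end }}
    {{- with $session := .Values.session }}
    session:
      name: {{ default "authelia_session" $session.name | quote }}
      domain: {{ required "A valid .Values.domain entry required!" $.Values.domain | quote }}
      same_site: {{ default "lax" $session.same_site }}
      expiration: {{ default "1M" $session.expiration }}
      inactivity: {{ default "5m" $session.inactivity }}
      remember_me_duration: {{ default "1M" $session.remember_me_duration }}
    {{- end }}
      {{- /* redis is nested under session: above; this relies on .Values.session being
             non-empty so that the session: key was actually emitted -- TODO confirm. */}}
      redis:
        host: {{ .Values.redis.url.plain | quote }}
        {{- with $redis := .Values.redisProvider }}
        port: {{ default 6379 $redis.port }}
        {{- /* Guarded with default so an unset username is an empty string, not a nil comparison. */}}
        {{- if not (eq "" (default "" $redis.username)) }}
        username: {{ $redis.username | quote }}
        {{- end }}
        maximum_active_connections: {{ default 8 $redis.maximum_active_connections }}
        minimum_idle_connections: {{ default 0 $redis.minimum_idle_connections }}
        {{- if $redis.tls.enabled }}
        tls:
          server_name: {{ $redis.tls.server_name | quote }}
          minimum_version: {{ default "TLS1.2" $redis.tls.minimum_version }}
          skip_verify: {{ default false $redis.tls.skip_verify }}
        {{- end }}
        {{- if $redis.high_availability.enabled }}
        high_availability:
          sentinel_name: {{ $redis.high_availability.sentinel_name | quote }}
          {{- if $redis.high_availability.nodes }}
          nodes: {{ toYaml $redis.high_availability.nodes | nindent 10 }}
          {{- end }}
          route_by_latency: {{ default false $redis.high_availability.route_by_latency }}
          route_randomly: {{ default false $redis.high_availability.route_randomly }}
        {{- end }}
        {{- end }}
    regulation: {{ toYaml .Values.regulation | nindent 6 }}
    storage:
      postgres:
        {{- /* Host is derived from the release name, i.e. the bundled postgresql service. */}}
        host: {{ printf "%v-%v" .Release.Name "postgresql" | quote }}
        {{- with $storage := .Values.storage }}
        port: {{ default 5432 $storage.postgres.port }}
        database: {{ default "authelia" $storage.postgres.database | quote }}
        username: {{ default "authelia" $storage.postgres.username | quote }}
        timeout: {{ default "5s" $storage.postgres.timeout }}
        {{- /* Fallback is "disable": the database connection is unencrypted unless
               .Values.storage.postgres.sslmode says otherwise. */}}
        sslmode: {{ default "disable" $storage.postgres.sslmode }}
        {{- end }}
    {{- with $notifier := .Values.notifier }}
    notifier:
      disable_startup_check: {{ default false $notifier.disable_startup_check }}
      {{- if $notifier.filesystem.enabled }}
      filesystem:
        filename: {{ $notifier.filesystem.filename | quote }}
      {{- end }}
      {{- if $notifier.smtp.enabled }}
      smtp:
        host: {{ $notifier.smtp.host | quote }}
        port: {{ default 25 $notifier.smtp.port }}
        timeout: {{ default "5s" $notifier.smtp.timeout }}
        username: {{ $notifier.smtp.username | quote }}
        sender: {{ $notifier.smtp.sender | quote }}
        identifier: {{ $notifier.smtp.identifier | quote }}
        subject: {{ $notifier.smtp.subject | quote }}
        startup_check_address: {{ $notifier.smtp.startup_check_address | quote }}
        disable_require_tls: {{ default false $notifier.smtp.disable_require_tls }}
        disable_html_emails: {{ default false $notifier.smtp.disable_html_emails }}
        tls:
          server_name: {{ default $notifier.smtp.host $notifier.smtp.tls.server_name | quote }}
          minimum_version: {{ default "TLS1.2" $notifier.smtp.tls.minimum_version }}
          skip_verify: {{ default false $notifier.smtp.tls.skip_verify }}
      {{- end }}
    {{- end }}
    {{- if .Values.identity_providers.oidc.enabled }}
    identity_providers:
      oidc:
        access_token_lifespan: {{ default "1h" .Values.identity_providers.oidc.access_token_lifespan }}
        authorize_code_lifespan: {{ default "1m" .Values.identity_providers.oidc.authorize_code_lifespan }}
        id_token_lifespan: {{ default "1h" .Values.identity_providers.oidc.id_token_lifespan }}
        refresh_token_lifespan: {{ default "90m" .Values.identity_providers.oidc.refresh_token_lifespan }}
        enable_client_debug_messages: {{ default false .Values.identity_providers.oidc.enable_client_debug_messages }}
        minimum_parameter_entropy: {{ default 8 .Values.identity_providers.oidc.minimum_parameter_entropy }}
        {{- if gt (len .Values.identity_providers.oidc.clients) 0 }}
        clients:
        {{- range $client := .Values.identity_providers.oidc.clients }}
        - id: {{ $client.id | quote }}
          description: {{ default $client.id $client.description | quote }}
          {{- /* randAlphaNum yields a fresh value on every render, so a client with no
                 .secret receives a different secret after each helm upgrade and no relying
                 party can know it; set .secret explicitly for every confidential client. */}}
          secret: {{ default (randAlphaNum 128) $client.secret | quote }}
          {{- if $client.public }}
          public: {{ $client.public }}
          {{- end }}
          authorization_policy: {{ default "two_factor" $client.authorization_policy }}
          redirect_uris:
          {{- range $client.redirect_uris }}
          - {{ . | quote }}
          {{- end }}
          {{- if $client.audience }}
          audience: {{ toYaml $client.audience | nindent 10 }}
          {{- end }}
          scopes: {{ toYaml (default (list "openid" "profile" "email" "groups") $client.scopes) | nindent 10 }}
          grant_types: {{ toYaml (default (list "refresh_token" "authorization_code") $client.grant_types) | nindent 10 }}
          response_types: {{ toYaml (default (list "code") $client.response_types) | nindent 10 }}
          {{- if $client.response_modes }}
          response_modes: {{ toYaml $client.response_modes | nindent 10 }}
          {{- end }}
          userinfo_signing_algorithm: {{ default "none" $client.userinfo_signing_algorithm }}
        {{- end }}
        {{- end }}
    {{- end }}
    access_control:
      {{- /* When no rules are defined the default policy is rewritten: "bypass" becomes
             one_factor and "deny" becomes two_factor (presumably so that a rule-less
             deployment is neither fully open nor fully locked out). Any other policy,
             and every policy once rules exist, is passed through unchanged. */}}
      {{- if (eq (len .Values.access_control.rules) 0) }}
      {{- if (eq .Values.access_control.default_policy "bypass") }}
      default_policy: one_factor
      {{- else if (eq .Values.access_control.default_policy "deny") }}
      default_policy: two_factor
      {{- else }}
      default_policy: {{ .Values.access_control.default_policy }}
      {{- end }}
      {{- else }}
      default_policy: {{ .Values.access_control.default_policy }}
      {{- end }}
      {{- if (eq (len .Values.access_control.networks) 0) }}
      networks: []
      {{- else }}
      networks: {{ toYaml .Values.access_control.networks | nindent 6 }}
      {{- end }}
      {{- if (eq (len .Values.access_control.rules) 0) }}
      rules: []
      {{- else }}
      rules: {{ toYaml .Values.access_control.rules | nindent 6 }}
      {{- end }}
    ...
{{- end -}}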